Memo: Train your staff on the use of password management software

Aligned Risk Management recommends password management software for all staff and especially for staff who work with a large number of external web application accounts.

  • A password manager can help encourage the use of long, complex, and unique passwords.
  • A password manager can reduce the need for users to commit their passwords to memory, making it less likely that they could expose their passwords inadvertently to social engineering attackers.
  • Automated password managers will fail to populate password fields on look-alike phishing pages, which can alert users that they are not accessing the system they expected.
  • Best practices recommended by the National Institute of Standards and Technology (NIST) endorse the use of password managers.

“Verifiers SHOULD permit claimants to use ‘paste’ functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”

National Institute of Standards and Technology, NIST Special Publication 800-63-3: Digital Identity Guidelines.


How our company’s public exposure benefited from the government shutdown

Sit back, relax, and read my story about how the Aligned Risk Management team was able to benefit in a most unexpected way from the recent government shutdown.

The longest partial government shutdown in the history of the United States was ended recently. It began on December 22, 2018 after Democrats refused to support a new temporary continuing resolution in the Senate that included approximately $5 billion for the new border wall. Lasting 35 days, the deadlock was resolved on January 25, 2019.

With a 1980 interpretation of the 1884 Antideficiency Act, a “lapse of appropriation” caused by political impasse on proposed appropriation bills requires that the federal government curtail agency activities and services, close down non-essential operations, furlough non-essential workers, and only retain essential employees in departments covering the safety of human life or the protection of property.

This lapse of appropriation impacted the National Institute of Standards and Technology. NIST is a physical sciences laboratory, and a non-regulatory agency of the US Department of Commerce. Its mission is to promote innovation and industrial competitiveness. The institute’s activities are organized into laboratory programs. For our purposes, we’re going to focus on the institute’s information technology standards.

NIST has published a great number of excellent standards followed by innumerable business, government agencies, and the like. They’re referred to as NIST Special Publications, which are a type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations

Just days before the shutdown, NIST released the highly anticipated Risk Management Framework 2.0. Because of the shutdown, this directly impacted the availability of this new document as the NIST website was partially taken offline.

For about 35 days, the Aligned Risk Management team […] were unable to review certain NIST Special Publications […].

For about 35 days, the Aligned Risk Management team and the entire country were unable to review certain NIST Special Publications that serve as standards for the information technology industry and related fields.

Aligned Risk Management takes great pride in consolidating the best industry practices in information technology, security, and privacy, and relies on standards set by NIST and other trusted bodies. As such, we were among those that were anticipating the release of the Risk Management Framework 2.0. We published a story related to the release.

Segue.

Everyone these days is aware of Search Engine Optimization, or SEO. Do your keywords right and you’ll show up better in search results. As a result of our increased focus on our own SEO, the unavailability of the NIST site allowed Aligned Risk Management to pick up on some of the NIST-specific keyword traffic during the shutdown.

Aligned Risk Management’s quantifiable benefits resulting from the partial government shutdown, in the form of Google analytics.

The unavailability of certain web-pages caused Google, Bing, DuckDuckGo, and other search engines to penalize the cached listings of NIST in search results. The timing was perfect, and Aligned Risk Management picked up considerable traffic for search terms related to the NIST Risk Management Framework 2.0 for obvious reasons: our page was available and theirs wasn’t.

In unrelated news, here’s our copy of NIST Special Publication 800-63-3: Digital Identity Guidelines. You know, just in case.

The team at Aligned Risk Management wish to thank President Donald Trump, Speaker of the House Nancy Pelosi, and the United States Senate for allowing us to take such great leaps in public exposure. We promise to use this newfound publicity wisely.

That’s my story. Thanks for reading.

NIST Risk Management Framework 2.0 Updates Cyber-Security Policy

The final version of the NIST Risk Management Framework 2.0 is now available, providing government agencies and commercial enterprises alike with new guidance that aligns risk, privacy and cyber-security controls.

The National Institute of Standards and Technology is out with the final version of its Risk Management Framework (RMF) 2.0 update, providing organizations with new detailed insight into how to define and manage risk.

RMF 2.0 was officially released on Dec. 20 and follows seven months of consultation and comments. RMF 2.0 is formally titled NIST Special Publication (SP) 800-37 Revision 2 and outlines how federal agencies and those that wish to align with the standard can address security and privacy risk management. Among the key additions in the RMF 2.0 updates is an alignment and integration with the NIST Cybersecurity Framework, which outlines controls and processes that should be used by U.S. government agencies.

“RMF 2.0 gives federal agencies a very powerful tool to manage both security and privacy risks from a single, unified framework,” NIST’s Ron Ross, one of the publication’s authors, wrote in a media advisory. “It ensures the term compliance means real cybersecurity and privacy risk management—not just satisfying a static set of controls in a checklist.”

RMF 2.0 itself is a lengthy report of 183 pages that is freely available. The report noted that organizations implementing the RMF will be able to maximize the use of automated tools to manage security categorization as well as control selection, assessment and monitoring.

“The RMF provides a dynamic and flexible approach to effectively manage security and privacy risks in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities,” the RMF states. “The framework is policy and technology neutral, which facilitates ongoing upgrades to IT resources and to IT modernization efforts—to support and help ensure essential missions and services are provided during such transition periods.”

The RMF 2.0 includes a long list of tasks that includes an outline of risk management roles within an organization as well as strategy. Identifying common controls as well as having a continuous monitoring strategy is another key component that is part of RMF. Risk itself is at the core of RMF 2.0, with the requirement that organizations execute a risk assessment that includes all assets that need to be protected.

“As a key part of the risk assessment, assets are prioritized based on the adverse impact or consequence of asset loss,” RMF 2.0 states. “The meaning of loss is defined for each asset type to enable a determination of the loss consequence (i.e., the adverse impact of the loss).”

Industry Reaction

NIST’s guidelines for cyber-security have become foundational elements in the product portfolios of multiple vendors that align their offerings to help enable organizations with governance, risk and compliance (GRC) needs. Multiple industry experts contacted by eWEEK were enthusiastic about the improvements made in the RMF and how it will help improve cyber-security overall.

“We view the NIST Risk Management Framework (RMF) as further refinement of NIST’s message around the practice of risk management and a bridge in the continuation of their guidance encompassing security of the organization, individual privacy, and organization-wide risk management,” Steve Schlarman, risk management strategist at RSA, told eWEEK. “We have long been committed to the belief that in order to effectively and efficiently manage information security, you have to take a risk-based approach.”

McAfee’s chief policy officer and head of government affairs, Tom Gann, is also supportive of RMF 2.0. He noted that the NIST Cybersecurity Framework presents a rational, step-by-step approach to identifying and managing an organization’s cyber-security risk. 

Abdul Rahman, chief data scientist at Fidelis Cybersecurity, commented that from his perspective looking at the RMF 2.0 update, the focus is on enhancing the protection of individuals’ sensitive data. 

“Organizations need to go beyond threat prevention—we’ve already seen that preventive tools alone don’t suffice against motivated and sophisticated attackers,” Rahman told eWEEK.

Istvan Molnar, product marketing manager and compliance specialist at One Identity, also sees as noteworthy the emphasis on privacy in RMF 2.0. Molnar said the RMF 2.0 document specifically calls out the need for organizations to “consider how to best promote and institutionalize collaboration between the two Privacy and Information Security programs to ensure that the objectives of both disciplines are met at every step of the process.”

“It’s also noteworthy that the report not only refers to access but also ‘system activity or behavior’ going a step further than simply focusing on controlling access to data,” Molnar told eWEEK. “Additionally, the framework promotes the notion of designing risk management into the security and privacy capabilities of information systems throughout the system development life cycle.”

For Meerah Rajavel, CIO at Forcepoint, there are three key takeaways from RMF 2.0. The first is that digital and cyber-security are becoming center seat in the boardroom. 

“The RMF Revision 2.0 focusing on linkage and communication to the C-suite governance, and providing guidance on the synergy between Cybersecurity & Risk Management framework, can help elevate the CISO and CIO to be more powerful at the boardroom table,” Rajavel told eWEEK.

She added that the second aspect of interest is the focus on the IT/OT and supply chain, which are crucial to protect critical infrastructure that affects civilians and the economy.  

“The third element, which is inspiring in lieu of many recent events, is linking privacy to risk, which helps other compliance and regulations like GDPR, CA Privacy Act, etc.,” she said.

“NIST Risk Management Framework 2.0 Updates Cyber-Security Policy”. eWeek. QuinStreet, Inc. Retrieved December 27, 2018.

Memo: about two-factor authentication

Two-factor authentication (2FA), or multi-factor authentication, is a security process in which the user provides two means of identification from separate categories of credentials; one is something memorized, such as a security code or password, and the other is typically a physical token, such as a card or a previously-authenticated smartphone.

A common example of two-factor authentication is the ATM card most consumers are familiar with. In order to authorize a transaction, the user must present the ATM card (a physical token) and also enter a PIN (a memorized secret). Neither the card alone nor the PIN alone will suffice to authorize a transaction, and it is unlikely that an attacker could obtain both simultaneously.

Stolen passwords are a very common vector for online attacks. Two-factor authentication can drastically reduce the effectiveness of password-related exploits, because stealing a password is not enough to give an attacker access to protected information.

True two-factor authentication requires that the factors be chosen from separate categories of credentials. The three commonly recognized categories are

  • “something you know” (e.g., a password)
  • “something you have” (e.g., a pre-registered smartphone), and
  • “something you are” (e.g., a fingerprint)

Most two-factor authentication today works by leveraging the second category in the form of a physical token or pre-registered smartphone. Smartphone-based solutions are popular since they work with a device most users already carry with them and protect zealously.

Numerous inexpensive 2FA solutions, some based on open standards, are gaining rapid adoption:

  • U2F security keys, an open standard for inexpensive USB tokens, industry leaders, like Yubico and Google.
  • Smartphone apps, usually free, that implement the open standard TOTP protocol (see below). Google Authenticator and Symantec VIP are commonly used.
  • Proprietary solutions, including Microsoft Azure and Duo.

Pre-registered knowledge tokens (PKTs), commonly known as “security questions,” are of the same category as passwords (“something you know”) and cannot be combined with passwords to provide true two-factor authentication.

Two-factor authentication does not replace passwords. Good password practices are still essential, but two-factor authentication can significantly reduce the risk of weak passwords.

Some 2FA solutions work by transmitting a one-time password over a different communication channel, such as via SMS to a pre-registered mobile phone. This is true two-factor authentication, but poor security practices by mobile service providers introduce the risk that the one-time password could be intercepted by an attacker.

More secure solutions can generate one-time passwords without having to transmit them, thus eliminating any risk that they could be intercepted. Transmitting one-time passwords via SMS has been deprecated by the latest NIST cybersecurity guidelines. Non-transmitting solutions should be preferred whenever available.

Cryptographic certificates, when generated and installed by properly authorized administrators, are of the same category as physical devices (“something you have”) and can be used in combination with passwords to implement two-factor authentication. Although a certificate is only data (like a password), it is tied closely to the physical device on which it is installed and it is difficult for the user to access, memorize, or inadvertently breach. The threat of unauthorized cloning does need consideration, but in general, enrolling a trusted device by installing a cryptographic certificate can be a cost-effective and very secure way to implement two-factor authentication.

 

Memo: SOC vs NIST

NIST SP 800-30: Guide for Conducting Risk Assessments

NIST Special Publication 800-30 provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organization

Everyone interested in advancing design and planning of IT systems must become knowledgeable of the accomplishments of NIST by reading their Special Publication 800-series reports. The 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and collaborative activities with industry, government, and academic organizations. The NIST Special Publication 800-53 “Recommended Security Controls for Federal Information Systems and Organization” list pages of specific controls that would be considered in the preparation of a standardized list of IT system controls for the private sector.

NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.

Special Publication 800-66 Revision 1, which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to:

  • Help to educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule.
  • Direct readers to helpful information in other NIST publications on individual topics addressed by the HIPAA Security Rule.
  • Aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.

Service Organization Controls (SOC)

The American Institute of Certified Public Accounts (AICPA) has developed and adopted a set of guidelines and regulations for CPA audits in response the requirements of the Gramm-Leach-Bliley Act entitled, Service Organization Controls (SOC).  SOC is divided into two general types of audits SOC 1 and SOC 2 that are described on this site in detail.  SOC  is very specific as to the types of assessments that are to be made for each type of audit. SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as controls identified by NIST.

SOC 1 audits according to the requirements of SSAE No. 16 reports  ”On Controls at a Service Organization” that is processing private and nonpublic data that is personal for it’s customers. The controls obviously would vary differently in approach even though there would be some overlap.  Standardizing would require developing different categories of controls for each type of audit.

SOC 2 audits deal with five different concerns: security, availability, integrity, confidentiality, and privacy. There are specific controls that come into play for each of these areas include overlap of controls to prevent possible financial theft, timely transmission, intrusion/manipulation, limited access and nondisclosure.

Concluding Notes

SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as controls identified by NIST.

Aligned Risk Management follows NIST SP 800-30, the framework for conducting risk assessments, and evaluates and reports on controls aligned to NIST SP 800-53 and NIST SP 800-66.

This article contains direct quotes and information from the National Institute of Standards and Technology (NIST), Integrated Accounting Services.

“SP 800-30: Guide for Conducting Risk Assessments”. National Institute of Standards and Technology. Retrieved September 4, 2018.

“SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”. National Institute of Standards and Technology. Retrieved September 4, 2018.

“NIST Special Publication 800-53”. National Institute of Standards of Technology. Retrieved September 4, 2018.

“Information Technology Laboratory”. Integrated Accounting Services. Retrieved September 4, 2018.